wifi-scripts: fix ieee80211w override for psk-sae/sae-mixedHEADmaster

The ucode wifi-scripts unconditionally set ieee80211w=1 for psk-sae
and eap-eap2 auth types, ignoring any user-configured value. This
caused ieee80211w=2 (MFP required) to be silently downgraded to 1
(MFP optional) when using sae-mixed encryption.

Change the logic to only set the default of 1 when ieee80211w is not
already configured by the user.

Fixes: https://github.com/openwrt/openwrt/issues/21751
Signed-off-by: Felix Fietkau <nbd@nbd.name>

2 files changed, 3 insertions, 2 deletions

diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
index 4585998d30..5771e0e2df 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/ap.uc
@@ -90,7 +90,8 @@ function iface_auth_type(config) {
 	}
 
 	if (config.auth_type in [ 'psk-sae', 'eap-eap2' ]) {
-		config.ieee80211w = 1;
+		if (!config.ieee80211w)
+			config.ieee80211w = 1;
 		if (config.rsn_override)
 			config.rsn_override_mfp = 2;
 		config.sae_require_mfp = 1;
diff --git a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc
index 6d65b5b248..a1daf041a1 100644
--- a/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc
+++ b/package/network/config/wifi-scripts/files-ucode/usr/share/ucode/wifi/supplicant.uc
@@ -60,7 +60,7 @@ function setup_sta(data, config) {
 
 	if (config.auth_type in [ 'sae', 'owe', 'eap2', 'eap192' ])
 		config.ieee80211w = 2;
-	else if (config.auth_type in [ 'psk-sae' ])
+	else if (config.auth_type in [ 'psk-sae' ] && !config.ieee80211w)
 		config.ieee80211w = 1;
 	if ((wildcard(data.htmode, 'EHT*') || wildcard(data.htmode, 'HE*')) &&
 		config.rsn_override)